
Wireshark-users: Re: [Wireshark-users] IPv6 Geo info

From: Gisle Vanem <gvanem@xxxxxxxxxxxx>
Date: Thu, 06 Oct 2011 19:32:59 +0200
"Gerald Combs" <gerald@xxxxxxxxxxxxx> wrote:

Until today Wireshark's GeoIP code only supported the IPv4 versions of
the GeoIP databases. I checked in changes in r39280 to r39284 to add
support for their IPv6 counterparts.

I just got the latest SVN and built the MSVC version. But I cannot see any
geo-info for 6to4-addresses. I.e. IPv6 inside IPv4 (protocol 41) doesn't show
any GeoIP-info. That is the only way here on my Win-XP box. E.g.:

Internet Protocol Version 4, Src: 173.195.0.231 (173.195.0.231), Dst: 192.88.99.1 (192.88.99.1)
   Version: 4
   Header length: 20 bytes
   Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
       0000 00.. = Differentiated Services Codepoint: Default (0x00)
       .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
   Total Length: 112
   Identification: 0x5a7e (23166)
   Flags: 0x00
       0... .... = Reserved bit: Not set
       .0.. .... = Don't fragment: Not set
       ..0. .... = More fragments: Not set
   Fragment offset: 0
   Time to live: 128
   Protocol: IPv6 (41)
   Header checksum: 0x0de3 [correct]
       [Good: True]
       [Bad: False]
   Source: 173.195.0.231 (173.195.0.231)
   Destination: 192.88.99.1 (192.88.99.1)
   [Source GeoIP: United States, AS13926 Reliablehosting.com, New York, NY, 40.688801, -74.020302]
       [Source GeoIP Country: United States]
       [Source GeoIP AS Number: AS13926 Reliablehosting.com]
       [Source GeoIP City: New York, NY]
       [Source GeoIP Latitude: 40.688801]
       [Source GeoIP Longitude: -74.020302]
   [Destination GeoIP: AS559 SWITCH, Swiss Education and Research Network]
       [Destination GeoIP AS Number: AS559 SWITCH, Swiss Education and Research Network]
Internet Protocol Version 6, Src: 2002:adc3:e7::adc3:e7 (2002:adc3:e7::adc3:e7), Dst: fec0:0:0:ffff::1 (fec0:0:0:ffff::1)
   0110 .... = Version: 6
       [0110 .... = This field makes the filter "ip.version == 6" possible: 6]
   .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
       .... 0000 00.. .... .... .... .... .... = Differentiated Services Field: Default (0x00000000)
       .... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
       .... .... ...0 .... .... .... .... .... = ECN-CE: Not set
   .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
   Payload length: 52
   Next header: UDP (0x11)
   Hop limit: 128
   Source: 2002:adc3:e7::adc3:e7 (2002:adc3:e7::adc3:e7)
   [Source 6to4 Gateway IPv4: 173.195.0.231 (173.195.0.231)]
   [Source 6to4 SLA ID: 0]
   Destination: fec0:0:0:ffff::1 (fec0:0:0:ffff::1)


I guess this is as designed. But in 6to4, isn't there a possibility that the
inner src/dst addresses can have different geo-location than the outer
addresses? I read in [1] about relay/border routers, but failed to grasp all of it.

Btw. The dst-ip above 192.88.99.1 is an anycast address which should have
no geo-info AFAICS. So what is the "AS559 SWITCH, Swiss Education and Research Network"
doing there?

[1] http://en.wikipedia.org/wiki/6to4

--gv
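
An added example, not part of the original message and not Wireshark's code: it decodes the 6to4 gateway IPv4 and SLA ID that the dissection above shows for `2002:adc3:e7::adc3:e7`, and picks which address of each endpoint a geolocation lookup could be keyed on. The function names and the `kind` labels are assumptions made for this sketch.

```python
import ipaddress

SIXTOFOUR_PREFIX = ipaddress.ip_network("2002::/16")    # 6to4 prefix, RFC 3056
RELAY_ANYCAST = ipaddress.ip_network("192.88.99.0/24")  # 6to4 relay anycast, RFC 3068
SITE_LOCAL = ipaddress.ip_network("fec0::/10")          # site-local, deprecated by RFC 3879


def decode_6to4(addr):
    """Return (gateway IPv4, SLA ID) for a 2002::/16 address, else None."""
    ip6 = ipaddress.IPv6Address(addr)
    if ip6 not in SIXTOFOUR_PREFIX:
        return None
    value = int(ip6)
    # Layout: 16-bit prefix 0x2002 | 32-bit gateway IPv4 | 16-bit SLA ID | 64-bit interface ID
    gateway = ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF)
    sla_id = (value >> 64) & 0xFFFF
    return gateway, sla_id


def geo_lookup_key(addr):
    """Return (kind, key) for one endpoint; key is None when the address
    does not identify a single fixed location (hypothetical policy)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if ip in RELAY_ANYCAST:
            # Anycast: the same address is announced by many relays.
            return "6to4-relay-anycast", None
        return "ipv4", ip
    decoded = decode_6to4(addr)
    if decoded is not None:
        return "6to4", decoded[0]  # geolocate the embedded gateway IPv4
    if ip in SITE_LOCAL or ip.is_link_local or ip.is_loopback:
        return "non-global", None
    return "ipv6", ip


if __name__ == "__main__":
    # The four addresses from the dissection quoted in the message.
    for a in ("173.195.0.231", "192.88.99.1",
              "2002:adc3:e7::adc3:e7", "fec0:0:0:ffff::1"):
        print(a, "->", geo_lookup_key(a))
```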